Meandering analysis

Why you should not use WordPress

The appeal of WordPress is obvious: cheap and easy, and lots of “developers” know it. The biggest problem with WordPress is that something originally designed as a blog platform, has evolved general CMS features, and is widely used a development platform. The problems are that it has security issues, and is neither flexible nor productive when used a a development platform and cheap developers are not good developers.WordPress is a very easy way to get a site up and running, and I do use it myself for small sites – even this blog still runs WordPress (although it may change). So what is wrong with WordPress?

Security

WordPress has a terrible track record, and WordPress sites are the most frequently targeted by attackers. There have been massive automated attacks mounted on millions of WordPress sites simultaneously. WordPress sites are easy for attacking web crawlers to identify without human intervention so the cost of attack is very low on a per site basis.

WordPress advocates will point to improvements in WordPress itself, and claim it is a lot more secure than it used to be. However, it still suffers from bad design, and a poor attitude – for example, WordPress developers actually encourage letting WordPress alter its own files because they is how their update mechanism works.

Even if WordPress is now adequately secure, even its defenders will usually concede that there are many insecure themes an plugins. As the attraction of WordPress is its wide range of themes and plugins this leaves you with limited choices:

Use WordPress only with bundled themes and plugins. This leaves little reason to use WordPress at all.

Security audit the themes and plugins you use: suddenly its not so cheap or fast to set up a WordPress site.

Develop all themes and plugin especially for your site: this makes WordPress an expensive solution if your site requires any real customisation.

Only use WordPress if you are sure it will do what you want with minimal customisation and only themes and plugins you are sure are secure.

Risk it!

Even being this careful, you still have to deal with the fact that a WordPress site is far more likely to be attacked. Even an unsuccessful attack can cause problems (slower site performance, bandwidth consumption from repeated attacks etc.). Certainly, you can (doing a bit more work) solve these problems, but even then any security hole in WordPress is more likely to lead lead to a breach because it is a popular target for automated attacks.

It is not a framework

People use WordPress for all kinds of websites, and even something that are better described as web apps. They have a bad case of “when all you have is a hammer, everything looks like nail”. Anyone who has used a proper framework will tell you that developing a custom site using WordPress is a far longer and less productive process than using framework like Django, Ruby on Rails, or Symfony. If you are a developers, compare this to this, or even better, this.

Similarly frameworks provide productive ways of generating forms that match database tables, or creating a custom admin interface. The work required to deliver the same custom functionality is dramatically lower.

A (good) framework also takes care of a lot of security issues for you — Django, my favourite framework, generates properly escaped database queries by default, and requires CSRF protection on forms by default, etc.

It uses PHP

PHP is a horrible language, and PHP code is harder to maintain. A developer should remember that there are always a minimum of two developers working on any project — you, and you a few months later, and the other one is an idiot. Hard to read and understand PHP code will create more work later. This is just one of PHP’s many, many faults, which are brilliantly covered in depth in A Fractal of Bad Design.

Again, the end result is to make development slower and maintenance more expensive.

PHP advocates like to point to the many large sites like Facebook that use PHP. PHP has worked so well for Facebook that they have resorted to forking it to address some of its more egregious flaws, but they are still constrained by the need for compatibility so it is still far from being a good language. Facebook also uses many other languages: they have released open source components in Ocaml, Java, C++. D, Haskell and more so they presumably use all those somewhere.

Lots of developers, does not mean lots of good developers

A lot of people like the fact that there are more WordPress developers than those working on any other web platform, many working at cheap rates. The reason for this is that it has a lower barrier to entry: it is easy to learn enough to install WordPress and some plugins, perhaps learn a bit of PHP for simple customisation… now you are a developer!

Of course there are plenty of good PHP developers, but I very much doubt there are more good PHP developers than Python or Ruby web developers. On top of that, good PHP developers are unlikely to be pitching for WordPress work and are probably focusing on more skilled stuff using frameworks. If you want cheap, WordPress is for you, but remember who works for peanuts.

What WordPress is good for

I still run my blog on WordPress, and I have used it for some small sites. It is a very capable blog platform, and is acceptable for small brochure type sites. If you are sure that is all your need, and all you are are likely to need, and have a limited budget, then maybe WordPress is a good option, but:

Ensure you install is security hardened: there is a lot you can do to make it harder for automated attacks to identify your site as WordPress based and make sure it is regularly updated. I will be blogging about that soon.

Use a host that gives you ssh access so that you can use wp-cli to run updates: otherwise you will either have to use the horribly insecure built in update mechanism, or update manually.

You have confidence in the security of any plugins and themes you use.

Pay for a decent developer. No one with real skills is going to work for £5/hour, even in a low cost country.

If it is so bad, why is it popular?

It is not a case of it being popular despite it being bad, but it being bad because it is popular. As long as WordPress was used for what it is best at (a blogging platform) it was fine (apart from some security issues). Even extending its usage to personal and small websites was fine. The problems are:

It is being used for things it was nor originally intended for,

It is so hugely popular that it is by far the most popular target for automated attacks.

The first of these causes a productivity problem: it is better to use the right tool for the job. The second means that security problems are far more likely to be found (by the bad guys) and exploited. I am talking here about automated attacks that attack thousands, or even hundreds of millions, of sites, in the hope of finding some that have a particular weakness. From the point of view of someone running one of those attacks, WordPress is probably the most attractive single target because it is popular,

I am not dead set against WordPress, but I am looking for alternatives, especially for small non-blog sites (perhaps for blogs as well) so please look out blog posts on how that goes.